ASA 5505 to 2811 router configuration issue

NtHawk101 asked:

My issue is I can traceroute from the 3550 and only get as far as 172.16.100.1 If I traceroute on the 2811 to outside, I can get anywhere I want. This would seem to lead me to believe there is an issue on the 2811 router. What am I missing? Is DHCP an issue on the 5505?

I bought some old network gear for a lab and am now trying to set it up with a connection to my Comcast modem. I have a business class modem in bridged mode. 0/0 - Global IP (Vlan2), 0/1 - 192.168.1.1 (Vlan10). DHCP is used on this device. Static route 0.0.0.0 0.0.0.0 (Global IP Gateway). Router EIGRP 90 (network 172.16.100.0 0.0.0.255).

Connected to port 0/1 of the 5505 is a Cisco 2811 router. Port 0/0 is assigned 192.168.1.254. Port 0/1 is assigned 172.16.100.1. Static route of 0.0.0.0 0.0.0.0 192.168.1.1.

Connected to port 0/1 of the 2811 is a Cisco 3550

See configs below

Cisco 2811

interface FastEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 duplex full
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 ip address 172.16.100.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
!
router eigrp 90
 network 172.16.100.0 0.0.0.255
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1

Cisco 3550
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Corp3550
!
!
username admin privilege 15 secret 5 $1$2wiI$fG1Ywcao.75bbnacN.REI0
!
!
no aaa new-model
clock timezone EST -5
clock summer-time EDT recurring
authentication mac-move permit
mls qos
ip subnet-zero
ip routing
!
!
spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
 description Edge Port to Corp-2811
 switchport access vlan 25
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface Vlan1
 ip address dhcp
 shutdown
!
interface Vlan10
 description Vuepc Server Network
 ip address 192.168.100.1 255.255.255.0
 ip helper-address 192.168.100.3
!
interface Vlan25
 description Transit Network
 ip address 172.16.100.254 255.255.255.0
!
interface Vlan35
 description Management Network
 ip address 192.168.102.1 255.255.255.0
!
router eigrp 90
 network 172.16.100.0 0.0.0.255
 network 192.168.20.0
 network 192.168.100.0
 network 192.168.101.0
 network 192.168.102.0
 eigrp stub connected summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.100.1
ip route 0.0.0.0 0.0.0.0 192.168.1.1 254
ip http server
ip http authentication local
!
ip radius source-interface Vlan10
!
ip sla enable reaction-alerts
!
control-plane

Don Johnston:

Is it just traceroute that stops at the 2811?  Or is all traffic from inside of the 2811 unable to get out?

Based on the information provided, I'm going to guess that the ASA is either not allowing the returning traceroute messages into the network inside of the 2811, or it's not configured to allow any traffic from those networks, or the ASA does not have a route to those inner networks.
NtHawk101 (asker):
I was assuming the FW wouldn't be blocking since I can traceroute from the 2811. It's the 3550, which is behind the 2811, that doesn't.
Don Johnston:
Yes, I know. But the 3550 will be sourcing the traffic from 172.16.100.254 while the 2811 will be sourcing from 192.168.1.254, which are completely different networks. To test this, you could do a traceroute from the 2811 but specify the source address as 172.16.100.1. While not absolutely conclusive, it is another data point.

A better data point would be the answers to my previous questions. ;-)
NtHawk101 (asker):
So if I understand right, you want me to traceroute from the 2811, which is the 172.16.100.1, using that IP.
i.e. traceroute 172.16.100.1, which of course comes back as seeing itself and quits.

Disregard my last comment. After looking again I realized what you meant. Will check that when I get back to my desk.
Don Johnston:
No. Traceroute to whatever you were going to before. But specify 172.16.100.1 as the source, not the destination.

Are you not going to answer my questions?  Because without that information, I'm firing blind and just making guesses.
NtHawk101 (asker):
Using traceroute as requested went nowhere.

I've tried tracert from a Windows machine that I placed in the management VLAN (35) and was able to get to 192.168.102.1 and then 172.16.100.1, but no further.

Looking at the FW config, I believe it needs to have ICMP allowed in. In the logs of the FW, I see source (Public Gateway IP) to (Public Global IP) assigned to the FW getting denied.
Don Johnston:
Just as I suspected.
NtHawk101 (asker):
Well... after trying to follow along with a website on how to allow traceroute, I'm still having issues. Here is my FW config:

ASA Version 8.2(1)
!
hostname V***-ASA1
domain-name V***.com
enable password WsI18bVFQZP/a1Me encrypted
passwd WsI18bVFQZP/a1Me encrypted
names
!
interface Vlan1
 no nameif
 no security-level
 no ip address
 shutdown
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.248
!
interface Vlan5
 nameif DMZ
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
interface Vlan12
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/0
 description Comcast
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 12
!
interface Ethernet0/2
 switchport access vlan 12
!
interface Ethernet0/3
 switchport access vlan 12
!
interface Ethernet0/4
 switchport access vlan 12
!
interface Ethernet0/5
 description DMZ
 switchport access vlan 5
!
interface Ethernet0/6
 switchport access vlan 12
!
interface Ethernet0/7
 switchport access vlan 12
!
banner motd
banner motd +----------------------------+
banner motd ||
banner motd |***Unauthorized Use or Access Prohibited***|
banner motd ||
banner motd |For Authorized Official Use Only|
banner motd |You must have explicit permission to access or |
banner motd |configure this device. All activities performed |
banner motd |on this device may be logged, and violations of |
banner motd |this policy may result in disciplinary action, and |
banner motd |may be reported to law enforcement authorities. |
banner motd ||
banner motd |There is no right to privacy on this device. |
banner motd ||
banner motd +----------------------------+
banner motd
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DEFAULTDNS
 domain-name V***.com
dns server-group DefaultDNS
 domain-name V***.com
object-group icmp-type DEFAULTICMP
 description Default ICMP Types permitted
 icmp-object echo-reply
 icmp-object unreachable
 icmp-object time-exceeded
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
access-list acl_outside extended permit icmp any any object-group DEFAULTICMP
access-list acl_outside extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any traceroute
access-list inside_access_in extended permit icmp any any unreachable
access-list inside_access_in extended permit icmp any any time-exceeded
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
access-group inside_access_in in interface inside
access-group inside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd dns 75.75.75.75 75.75.76.76
dhcpd lease 691200
dhcpd ping_timeout 750
dhcpd domain v***.com
!
dhcpd address 192.168.1.10-192.168.1.254 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map class_default
class-map inspection_default
 match default-inspection-traffic
class-map inside-policy
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
  inspect icmp
  inspect icmp error
policy-map inside-policy
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:55a6c66cb13b283f88f5bc7dba5bb6fc
: end
Don Johnston:
That's not your problem. The problem is that you only have NAT configured for the 192.168.1.0 network. Add a NAT statement for the 172.161.0.0 networks.
NtHawk101 (asker):
I don't have enough experience yet with using NAT. Are you stating I need a dynamic NAT rule exactly like the 192.168.1.0 rule? I've added that and still no change.
NetExpert Network Solutions Pte Ltd:
@NtHawk101,

You have to add the below line

nat (inside) 1 172.16.1.0 255.255.255.0

If that's not working, can you post the updated config here?

Thanks
Don Johnston:
Please post the current config of the ASA (and use the "code" feature when you post it here).
NtHawk101 (asker):
Here you go. The line I added was exactly what you stated it should be:

ASA Version 8.2(1) 
!
hostname -ASA1
domain-name Vuepc.com
enable password WsI18bVFQZP/a1Me encrypted
passwd WsI18bVFQZP/a1Me encrypted
names
!
interface Vlan1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.248 
!
interface Vlan5
 nameif DMZ
 security-level 50
 ip address 172.16.1.1 255.255.255.0 
!
interface Vlan12
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Ethernet0/0
 description Comcast
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 12
!
interface Ethernet0/2
 switchport access vlan 12
!
interface Ethernet0/3
 switchport access vlan 12
!
interface Ethernet0/4
 switchport access vlan 12
!
interface Ethernet0/5
 description DMZ
 switchport access vlan 5
!
interface Ethernet0/6
 switchport access vlan 12
!
interface Ethernet0/7
 switchport access vlan 12
!
banner motd 
banner motd +----------------------------+
banner motd ||
banner motd |***Unauthorized Use or Access Prohibited***|
banner motd ||
banner motd |For Authorized Official Use Only|
banner motd |You must have explicit permission to access or |
banner motd |configure this device. All activities performed |
banner motd |on this device may be logged, and violations of |
banner motd |this policy may result in disciplinary action, and |
banner motd |may be reported to law enforcement authorities. |
banner motd ||
banner motd |There is no right to privacy on this device. |
banner motd ||
banner motd +----------------------------+
banner motd 
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DEFAULTDNS
 domain-name .com
dns server-group DefaultDNS
 domain-name V.com
object-group icmp-type DEFAULTICMP
 description Default ICMP Types permitted
 icmp-object echo-reply
 icmp-object unreachable
 icmp-object time-exceeded
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
access-list acl_outside extended permit icmp any any object-group DEFAULTICMP 
access-list acl_outside extended permit icmp any any object-group DM_INLINE_ICMP_1 
access-list inside_access_in extended permit ip any any 
access-list inside_access_in extended permit icmp any any traceroute 
access-list inside_access_in extended permit icmp any any unreachable 
access-list inside_access_in extended permit icmp any any time-exceeded 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 172.16.100.0 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0
access-group inside_access_in in interface inside
access-group inside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd dns 75.75.75.75 75.75.76.76
dhcpd lease 691200
dhcpd ping_timeout 750
dhcpd domain vuepc.com
!
dhcpd address 192.168.1.10-192.168.1.254 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map class_default
class-map inspection_default
 match default-inspection-traffic
class-map inside-policy
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
  inspect icmp 
  inspect icmp error 
policy-map inside-policy
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:504cefd0ff49292bda6d6ea65ebd9fbf
: end


NetExpert Network Solutions Pte Ltd:
Found it..

We need to mention the correct nameif interface.

Delete the line and add the one below:

nat (DMZ) 1 172.16.1.0 255.255.255.0
Don Johnston:
Still waiting for the answers to my questions though.

Is it just traceroute that stops at the 2811?
Or is all traffic from inside of the 2811 unable to get out?
NtHawk101 (asker):
Still no luck... will post config when I get to the office. Have to get to work.
Don Johnston:
"we need to mention the correct nameif interface"
No... The traffic in question is coming from 172.16.100.0/24. That network is sourced on the "inside" interface.
NtHawk101 (asker):
That's what I was wondering... it didn't make sense to me that suddenly we're talking DMZ and 172.16.1.1 when we're dealing with 172.16.100.0 networks, but hey, I'm so frustrated I'm willing to try anything once... lol

So I've deleted that NAT rule... the config would be back to the same as above.
ASKER CERTIFIED SOLUTION
NetExpert Network Solutions Pte Ltd
This solution is only available to members of Experts Exchange.
Don Johnston:
Yep. There's no route to the 172.16.100.0 network.

Sure would have been nice to know that it was all traffic as opposed to just ICMP.
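The final diagnosis above (the NAT line for 172.16.100.0/24 was added, but the ASA still had no route to that network behind the 2811, so reply traffic had nowhere to go) is easy to check mechanically. The script below is an added example, not part of the original thread or any participant's post. It parses the interface, nat, route and access-group lines of a pre-8.3 ASA config and flags every NATted network that the ASA cannot forward to through the interface named in the nat statement. The sample config is constructed from the second config posted above, with the redacted public addresses replaced by 203.0.113.0/29; the "after" variant adds `route inside 172.16.100.0 255.255.255.0 192.168.1.254 1`, which is the route Don Johnston's comment implies but is an assumption here, since the certified solution text is not on the page. It also flags something else visible in the posted config: inside_access_in, which starts with `permit ip any any`, is bound inbound on the outside interface as well as on inside.

```python
"""Lint a pre-8.3 ASA config for NATted networks the ASA cannot route back to."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: the relevant lines of the second ASA config posted above,
# with the redacted public addresses replaced by 203.0.113.0/29.
CONFIG_BEFORE = """\
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface Vlan12
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
access-list inside_access_in extended permit ip any any
global (outside) 1 interface
nat (inside) 1 172.16.100.0 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0
access-group inside_access_in in interface inside
access-group inside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
"""
# Assumed fix (the certified solution text is not on the page): a static route
# on inside telling the ASA that 172.16.100.0/24 sits behind the 2811.
CONFIG_AFTER = CONFIG_BEFORE + "route inside 172.16.100.0 255.255.255.0 192.168.1.254 1\n"

NAT_RE = re.compile(r"^nat \((\S+)\) \d+ (\S+) (\S+)$")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")
PERMIT_ANY_RE = re.compile(r"^access-list (\S+) extended permit ip any any$")

@dataclass
class AsaConfig:
    connected: dict = field(default_factory=dict)  # nameif -> IPv4Network
    levels: dict = field(default_factory=dict)     # nameif -> security-level
    routes: list = field(default_factory=list)     # [(nameif, IPv4Network)]
    nats: list = field(default_factory=list)       # [(nameif, IPv4Network)]
    bindings: dict = field(default_factory=dict)   # acl -> [nameif, ...]
    permit_any: set = field(default_factory=set)   # acls with 'permit ip any any'

def _net(addr, mask):
    return ipaddress.IPv4Network((addr, mask), strict=False)

def parse_asa(text):
    """Extract interfaces, nat, route and access-group lines (pre-8.3 syntax)."""
    cfg = AsaConfig()
    nameif = level = addr = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = level = addr = None  # new interface block
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("security-level "):
            level = int(line.split()[1])
        elif line.startswith("ip address "):
            addr = _net(*line.split()[2:4])
        if nameif and addr is not None:  # block complete: record it
            cfg.connected[nameif] = addr
            if level is not None:
                cfg.levels[nameif] = level
        for rx, store in ((NAT_RE, cfg.nats), (ROUTE_RE, cfg.routes)):
            m = rx.match(line)
            if m:
                store.append((m.group(1), _net(m.group(2), m.group(3))))
        m = GROUP_RE.match(line)
        if m:
            cfg.bindings.setdefault(m.group(1), []).append(m.group(2))
        m = PERMIT_ANY_RE.match(line)
        if m:
            cfg.permit_any.add(m.group(1))
    return cfg

def reachable_via(cfg, nameif, net):
    """True if net is connected on nameif or a static route on nameif covers it."""
    conn = cfg.connected.get(nameif)
    if conn is not None and net.subnet_of(conn):
        return True
    return any(rif == nameif and net.subnet_of(rnet) for rif, rnet in cfg.routes)

def lint(cfg):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for nameif, net in cfg.nats:
        if not reachable_via(cfg, nameif, net):
            findings.append(f"nat ({nameif}) {net}: nothing routes this network out of "
                            f"'{nameif}', so replies cannot be forwarded back to it")
    lowest = min(cfg.levels, key=cfg.levels.get) if cfg.levels else None
    for acl, ifs in cfg.bindings.items():
        if acl in cfg.permit_any and lowest in ifs:
            findings.append(f"access-group {acl}: 'permit ip any any' is bound inbound "
                            f"on the lowest-security interface '{lowest}'")
    return findings

if __name__ == "__main__":
    for text in (CONFIG_BEFORE, CONFIG_AFTER):
        print("\n".join(lint(parse_asa(text)) or ["no findings"]))
```

Run against the "before" config it reports the 172.16.100.0/24 NAT entry with no return route (192.168.1.0/24 passes because it is directly connected on inside); with the route added only the ACL warning remains. The lint only understands the pre-8.3 `nat (ifname) id net mask` / `global` form that the posted 8.2(1) config uses; 8.3 and later object NAT is a different syntax.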
NtHawk101 (asker):
Those changes would seem to be working, as I can now traceroute from the FW back in to 192.168.1.254 and then 172.16.100.254. Thank you! Thank you!

@DonJohnston,
Sorry but since this is the beginning of a lab, there really isn't any traffic yet and why I was using traceroute to verify everything before putting other traffic on the network. I do have to thank you though for pointing the finger at the FW as I would not have thought that was the problem.
NetExpert Network Solutions Pte Ltd:
@NtHawk101 - Nice to know that it's working.

But I would like to tell you that you are using a very old version of ASA IOS. Try to upgrade to the latest and explore the many options in the ASA.

Thanks
NtHawk101 (asker):
Right, I knew it was, but it seems you need special access on Cisco's site to have rights to download. A generic account there doesn't work.